Is skipEndpointValidationWhenSigned still an issue?

Brent Putman putmanb at
Wed May 25 14:33:26 EDT 2016

On 5/25/16 2:21 PM, Cantor, Scott wrote:
> On 5/25/16, 2:14 PM, "users on behalf of Yavor Yanakiev" <users-bounces at on behalf of yavor at> wrote:
> Their system *is* broken, and they are doubly wrong for requesting a response URL that doesn't match their metadata. There is no way around that fact.

Agreed 100%.  If one of their customers wants to tell them what they're
technologically doing wrong via-a-vis the ACS, to file a bug, etc: I
think the fundamental problem is that they are mistakenly treating the
ACS URL as if it's dynamic, and that they can append "runtime" query
params.  It's not.  It has to be a static unchanging URL.  If dynamic
per-request info needs to be conveyed, it needs to happen via
RelayState (either by value - embedded directly in the query param - or
by reference).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list